Breach Prevention: Beyond TechnologyHow Security Pros Can Address the Human Factor
Too many organizations fail to adequately address data security issues until after a breach occurs. But even those that proactively address data security may only be dealing with a part of the solution.
From my geek prospective, I have to admit it is more interesting to talk about firewalls, router security, mobile device management, encryption and the like. But technical security is not enough. Companies need to address the weakest link in almost any security scheme - the human factor.
There is no magic pill to preventing all breaches or to mitigating the vulnerabilities presented by the human factor.
Think of it this way: What if you built the most secure home in the world, but then provided criminals the schematics, keys and keypad codes? That's exactly what companies are doing if they fail to draft clear policies, provide proper training and perform testing and audits.
Acknowledge the Risks
Denial is a pervasive sentiment in data security. Many organizations think they will never be the target of an attack or doubt that their employees would ever willingly give up the keys to the kingdom.
One of my good friends does security testing for major companies, including a nuclear facility. He explained to me that once he was able to gain access to the plant's schematics by pretending to be a computer service technician - avoiding security protocols from the front door to the passwords on the head engineer's computer terminal. But this anecdote is not unique or just in the context of third-party testing.
Many data breaches start with some form of human error. The top attack vectors remain non-technical, such as abuse of system access or privileges, use of stolen credentials, social engineering, bribery, embezzlement or skimming.
For example, spear phishing has long been a favorite of hackers. You've probably been a target - that e-mail that says you won a prize, have a security issue that needs to be resolved or are the subject of a Better Business Bureau complaint and need to respond. Once you click on the link, malware is loaded to your computer and the hacker now has access to whatever the user can access. This type of attack was apparently the cause of the massive breach at the South Carolina Department of Revenue.
Given the commonality of these and similar attacks, why would anyone spend the money on building a secure house only to give the keys away? But that is precisely what happens when companies fail to have the proper policies - as well as sufficient training, auditing and testing - in place.
The place to start is having the proper policies. The list can be long, depending on the complexity of the company's systems.
Whether in a single document or as separate policies, systems users should be instructed on recruiting and hiring; acceptable use; social media; remote access; termination; physical security; incident response and other issues. These policies will need to be tailored to the culture of the company.
A policy written in legalese won't help. We need employees to understand the instructions and guidance not only for later enforcement, but, more important, so that they can comply with them.
The clarity of the policies and related procedures is essential to day-to-day compliance. Sufficient training is important and a key factor of a sound compliance program.
All employees should be instructed on what is permitted and prohibited. Best practices - and warnings as to current threats - should be communicated regularly.
A virtual resource room should be established to address frequently asked questions and reaffirm updates on current trends and threats. Employees should be reminded that they are ultimately responsible and will be held accountable for any violations.
Making It Clear
It's essential that both the training and the policy be easily understood by employees.
In 2006, I wrote an article on what should be addressed in an incident response plan. These basic requirements have not changed over time and are in place at most organizations. One key component is making it clear who to contact in the event of a breach.
Recently, a client had a breach involving data it was handling for one of its customers. The sales representative discovered the breach and went directly to the customer. This may not seem like such a big deal. However, having an effective communication plan is essential to data breach response. By not following the protocols, we were forced to respond at the same time we were conducting the investigation.
Clearly, having a policy and training is not enough. The policies should be tested and audited.
In the above example, I know that the sales representative's intentions were good. I also know that he had forgotten about the incident response plan and was not familiar with the details. Testing and auditing may have reminded him to access the virtual resource room or other materials that would have guided him on the company's policies for reporting an incident.
For other issues, such as dealing with spear phishing, use of social engineering toolkits and other devices can aid in such testing. Ultimately, you may not stop the employee from clicking on the malicious link, so data access monitoring becomes essential.
There is no magic pill to preventing all breaches or to mitigating the vulnerabilities presented by the human factor. However, ignoring the issue or thinking that this is not an issue for your company is not the answer.
When a breach occurs, regulators, plaintiff's counsel, the media and others will look to whether enough was done.(Ronald Raether is a partner at the law firm Faruki Ireland & Cox P.L.L. in Dayton, Ohio, where he specializes in technology and privacy issues.)